-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fabrizio Buratta wrote:
Hi everybody.
I'm trying to mount an NFS server (a RAID5 NAS) on my CentOS 4. Afterward I want
a script inside the apache cgi-bin directory to be able to do any file and
dir operations.
Let's say I want a context capable of apache r/w operations on my
mount dir, then I execute:
mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t mynas:/external_dir /mnt/my_mount_dir
It does mount my external dir but if I execute ls -Z I see:
drwxrwxrwx 254 254 storage
Where's my context? Obviously my script is not able to write on this
directory and SELinux complains:
type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4 a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1223458283.439:3794033): path="/var"
type=CWD msg=audit(1223458283.439:3794033): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0 inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003 syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4 a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.050:3794034): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.050:3794034): name="/mnt/storage/nightly/testfile" flags=1 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003 syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.051:3794035): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.051:3794035): name="/mnt/storage/nightly/testfile" flags=310 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
Of course I'm using a python script.
Until now I did not try to compile a local SELinux policy in order
to allow that kind of operation (I would avoid it if possible).
Any suggestion?
Thanks,
Fab.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You have two problems.
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t mnt_t:dir search;
You need to load a custom policy to allow your cgi scripts to read
through the /mnt directory.
allow httpd_sys_script_t var_t:dir getattr;
This one does not make sense; this rule should be allowed in all default
policies. What policy are you running? Apache scripts should be able
to search/getattr on var_t in order to use /var/www/.
Neither of these AVCs is much of a security risk to allow.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEYEARECAAYFAkjsm2cACgkQrlYvE4MpobMIFQCg4SenCLanOIaIIc0m5ozndTR5
HX4An26oG117iKH1aqsETEWJw9CrfiUf
=cY7A
-----END PGP SIGNATURE-----
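The two allow rules quoted in the reply are what audit2allow derives from the AVC records in the question, and the "custom policy" it recommends is built from exactly that output. As an added example, not part of the list posting and not code from any SELinux tool, the POSIX shell script below redoes that derivation over the three AVC lines from the post (rejoined onto one line each and embedded as constructed sample input), wraps the result in a loadable policy module source with the require block checkmodule needs, and shows the checkmodule/semodule_package/semodule steps an admin runs to load it. The module name httpd_mnt_local is an assumption; on a real system you would normally just run `audit2allow -M local < /var/log/audit/audit.log`, which produces the same .te and .pp.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): derive allow rules from AVC
# denials and package them as a local policy module.
# Constructed sample input: the three AVC records from the post, one per line.
AVC_SAMPLE='type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir'

# avc_to_allow: read audit records on stdin, print one deduplicated
# "allow SRC TGT:CLASS PERMS;" line per distinct denial, as audit2allow does.
# The type is always the third colon-separated field of a context, with or
# without a trailing MLS range, so root:system_r:httpd_sys_script_t and
# system_u:object_r:mnt_t:s0 are both handled.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        if (index(perms, " ")) perms = "{ " perms " }"   # several permissions in one AVC
        rule = "allow " s[3] " " t[3] ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# write_local_te NAME: read allow rules on stdin and print the module source
# (NAME.te). The require block declares every type, class and permission the
# rules use; without it checkmodule refuses to compile the module.
write_local_te() {
    awk -v name="$1" '
    NF >= 4 {
        src = $2; split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = $0; sub(/^allow [^ ]* [^ ]* /, "", perms); sub(/;$/, "", perms)
        gsub(/[{}]/, "", perms)
        types[src] = 1; types[tgt] = 1
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((cls, p[i]) in seen)) { seen[cls, p[i]] = 1; classperm[cls] = classperm[cls] " " p[i] }
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classperm) printf "\tclass %s {%s };\n", c, classperm[c]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_and_load NAME: compile NAME.te and insert it into the running policy.
# Needs root and the checkmodule/semodule_package/semodule tools; not run here.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# What an admin would type on the affected host (module name is an assumption):
#   avc_to_allow < /var/log/audit/audit.log | write_local_te httpd_mnt_local > httpd_mnt_local.te
#   build_and_load httpd_mnt_local
# Stand-alone demo over the constructed sample: prints the module source.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | write_local_te httpd_mnt_local
```

Before loading such a module, read the generated rules rather than trusting them: the post's /var getattr denial is one the reply expects the base policy to allow already, so a rule for it in a local module would paper over a policy or labelling problem instead of fixing it. The mnt_t search rule only lets the CGI domain traverse /mnt; it grants no read or write on the NFS data, which still depends on the mount's context option taking effect.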